Abstract. The syntax of an imperative language does not mention explicitly the state, while its
denotational semantics has to mention it. In this paper we show that the equational proofs about an 
imperative language may hide the state, in the same way as the syntax does. 

Introduction 

The evolution of the state of the memory in an imperative program is a computational effect: the state is
never mentioned as an argument or a result of a command, whereas in general it is used and modified during
the execution of commands. Thus, the syntax of an imperative language does not mention explicitly
the state, while its denotational semantics has to mention it. This means that the state is encapsulated: its
interface, which is made of the functions for looking up and updating the values of the locations, is separated
from its implementation; the state cannot be accessed in any other way than through its interface.
In this paper we show that equational proofs in an imperative language may also encapsulate the state:
proofs can be performed without any knowledge of the implementation of the state. We will see that
a naive approach (called "apparent") cannot deal with the updating of states, while this becomes possible
with a slightly more sophisticated approach (called "decorated"). This is expressed in an algebraic
framework relying on category theory. To our knowledge, the first categorical treatment of computational
effects, using monads, is due to Moggi [Moggi 1991]. The examples proposed by Moggi include
the side-effects monad $T(A) = (A \times St)^{St}$ where $St$ is the set of states. Later on, Plotkin and Power used
Lawvere theories for dealing with the operations and equations related to computational effects. The
Lawvere theory for the side-effects monad involves seven equations [Plotkin & Power 2002]. In Section 1
we describe the intended denotational semantics of states. Then in Section 2 we introduce three
variants of the equational logic for formalizing the computational effects due to the states: the apparent,
decorated and explicit logics. This approach is illustrated in Section 3 by proving some of the equations
from [Plotkin & Power 2002], using rules which do not mention any type of states.

1 Motivations 

This section is made of three independent parts. Section 1.1 is devoted to the semantics of states, an
example is presented in Section 1.2 and our logical framework is described in Section 1.3.

1.1 Semantics of states

This section deals with the denotational semantics of states, by providing a set-valued interpretation of
the lookup and update operations. Let $St$ denote the set of states. Let $Loc$ denote the set of locations
(also called variables or identifiers). For each location $i$, let $Val_i$ denote the set of possible values for $i$.
For each location $i$ there is a lookup function for reading the value of location $i$ in the given state, without
modifying this state: this corresponds to a function $lookup_{i,1} : St \to Val_i$ or equivalently to a function
$lookup_i : St \to Val_i \times St$ such that $lookup_i(s) = (lookup_{i,1}(s), s)$ for each state $s$. In addition, for each
location $i$ there is an update function $update_i : Val_i \times St \to St$ for setting the value of location $i$ to the
given value, without modifying the values of the other locations in the given state. This is summarized
as follows, for each $i \in Loc$: a set $Val_i$, two functions $lookup_{i,1} : St \to Val_i$ and $update_i : Val_i \times St \to St$,
and equations (1):

(1.1) $\forall a \in Val_i,\ \forall s \in St,\ lookup_{i,1}(update_i(a,s)) = a$,

(1.2) $\forall a \in Val_i,\ \forall s \in St,\ lookup_{j,1}(update_i(a,s)) = lookup_{j,1}(s)$ for every $j \in Loc$, $j \neq i$.

The state can be observed thanks to the lookup functions. We may consider the tuple
$\langle lookup_{i,1} \rangle_{i \in Loc} : St \to \prod_{i \in Loc} Val_i$. If this function is an isomorphism, then Equations (1) provide a definition of the update
functions. In [Plotkin & Power 2002] an equational presentation of states is given, with seven equations:
in Remark 1.1 these equations are expressed according to [Melliès 2010] and they are translated in our
framework. We use the notations $l_i = lookup_i : St \to Val_i \times St$, $l_{i,1} = lookup_{i,1} : St \to Val_i$ and $u_i = update_i : Val_i \times St \to St$,
and in addition $id_i : Val_i \to Val_i$ and $q_i : Val_i \times St \to St$ respectively denote the identity of
$Val_i$ and the projection, while $perm_{i,j} : Val_j \times Val_i \times St \to Val_i \times Val_j \times St$ permutes its first and second
arguments.

Remark 1.1. The equations in [Plotkin & Power 2002] can be expressed as the following Equations (2):

(2.1) Annihilation lookup-update. Reading the value of a location i and then updating the location i
with the obtained value is just like doing nothing.

$\forall i \in Loc,\ \forall s \in St,\ u_i(l_i(s)) = s \in St$

(2.2) Interaction lookup-lookup. Reading twice the same location loc is the same as reading it once.

$\forall i \in Loc,\ \forall s \in St,\ l_i(q_i(l_i(s))) = l_i(s) \in Val_i \times St$

(2.3) Interaction update-update. Storing a value a and then a value a' at the same location i is just like
storing the value a' in the location.

$\forall i \in Loc,\ \forall s \in St,\ \forall a, a' \in Val_i,\ u_i(a', u_i(a,s)) = u_i(a', s) \in St$

(2.4) Interaction update-lookup. When one stores a value a in a location i and then reads the location i,
one gets the value a.

$\forall i \in Loc,\ \forall s \in St,\ \forall a \in Val_i,\ l_{i,1}(u_i(a,s)) = a \in Val_i$

(2.5) Commutation lookup-lookup. The order of reading two different locations i and j does not matter.

$\forall i \neq j \in Loc,\ \forall s \in St,\ (id_i \times l_j)(l_i(s)) = perm_{i,j}((id_j \times l_i)(l_j(s))) \in Val_i \times Val_j \times St$

(2.6) Commutation update-update. The order of storing in two different locations i and j does not matter.

$\forall i \neq j \in Loc,\ \forall s \in St,\ \forall a \in Val_i,\ \forall b \in Val_j,\ u_j(b, u_i(a,s)) = u_i(a, u_j(b,s)) \in St$

(2.7) Commutation update-lookup. The order of storing in a location i and reading in another location j
does not matter.

$\forall i \neq j \in Loc,\ \forall s \in St,\ \forall a \in Val_i,\ l_j(u_i(a,s)) = (id_j \times u_i)(perm_{j,i}(a, l_j(s))) \in Val_j \times St$

Proposition 1.2. Let us assume that $\langle l_{i,1} \rangle_{i \in Loc} : St \to \prod_{i \in Loc} Val_i$ is invertible. Then Equations (1) are
equivalent to Equations (2).

Proof. It may be observed that (2.4) is exactly (1.1). In addition, (2.7) is equivalent to (1.2): indeed,
(2.7) is equivalent to the conjunction of its projection on $Val_j$ and its projection on $St$; the first one is
$l_{j,1}(u_i(a,s)) = l_{j,1}(s)$, which is (1.2), and the second one is $u_i(a,s) = u_i(a,s)$. Equations (2.2) and (2.5)
follow from $q_i(l_i(s)) = s$. For the remaining equations (2.1), (2.3) and (2.6), which return states, it is
easy to check that for each location $k$, by applying $l_{k,1}$ to both members and using equation (1.1) or (1.2)
according to $k$, we get the same value in $Val_k$ for both hand-sides. Then equations (2.1), (2.3) and (2.6)
follow from the fact that $\langle l_{i,1} \rangle_{i \in Loc} : St \to \prod_{i \in Loc} Val_i$ is invertible. □

Proposition 1.2 will be revisited in Section 3, where it will be proved that equations (1) imply equations (2)
without ever mentioning explicitly the state in the proof.
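
Proposition 1.2 can be checked exhaustively on a small finite model. The following is an added example, not code from the paper: the class `StateModel`, the sample value sets `VALS` and the "hidden bit" counterexample are all constructed here. It verifies Equations (1) and (2) when the states are exactly the tuples of values, and shows that when the tuple of lookups is not invertible, Equations (1) still hold while (2.1) and (2.3) fail.

```python
from itertools import product

class StateModel:
    """Set-valued model of states: St, lookup_{i,1} and update_i per location."""
    def __init__(self, vals, states, lookup1, update):
        self.vals = vals        # location -> list of values Val_i
        self.states = states    # the set St, as a list of distinct states
        self.lookup1 = lookup1  # lookup1(i, s): value of location i in state s
        self.update = update    # update(i, a, s): state after storing a in i

    def l(self, i, s):
        """lookup_i : St -> Val_i x St, the value together with the same state."""
        return (self.lookup1(i, s), s)

def product_model(vals):
    """St is the product of the Val_i; update_i is what Equations (1) force."""
    locs = list(vals)
    idx = {i: n for n, i in enumerate(locs)}
    states = list(product(*(vals[i] for i in locs)))
    def lookup1(i, s):
        return s[idx[i]]
    def update(i, a, s):
        return s[:idx[i]] + (a,) + s[idx[i] + 1:]
    return StateModel(vals, states, lookup1, update)

def hidden_bit_model(vals):
    """Constructed counterexample: each state carries a bit that no lookup
    observes, and every update flips it."""
    base = product_model(vals)
    states = [(s, b) for s in base.states for b in (0, 1)]
    def lookup1(i, s):
        return base.lookup1(i, s[0])
    def update(i, a, s):
        return (base.update(i, a, s[0]), 1 - s[1])
    return StateModel(vals, states, lookup1, update)

def observation_is_invertible(m):
    """Is the tuple <lookup_{i,1}> : St -> prod Val_i a bijection?"""
    locs = list(m.vals)
    images = {tuple(m.lookup1(i, s) for i in locs) for s in m.states}
    size = 1
    for i in locs:
        size *= len(m.vals[i])
    return len(images) == len(m.states) == size

def check_equations_1(m):
    """Equations (1.1) and (1.2), checked for every location, value and state."""
    L, St, V, l1, u = list(m.vals), m.states, m.vals, m.lookup1, m.update
    eq11 = all(l1(i, u(i, a, s)) == a for i in L for a in V[i] for s in St)
    eq12 = all(l1(j, u(i, a, s)) == l1(j, s)
               for i in L for j in L if j != i for a in V[i] for s in St)
    return eq11 and eq12

def check_equations_2(m):
    """Equations (2.1) to (2.7); returns a dict equation name -> bool."""
    L, St, V = list(m.vals), m.states, m.vals
    l, l1, u = m.l, m.lookup1, m.update
    pairs = [(i, j) for i in L for j in L if i != j]

    def eq25(i, j, s):
        a, s1 = l(i, s); b, s2 = l(j, s1)      # read i, then j
        b2, t1 = l(j, s); a2, t2 = l(i, t1)    # read j, then i, then permute
        return (a, b, s2) == (a2, b2, t2)

    def eq27(i, j, a, s):
        b, s1 = l(j, s)                        # read j first, then store a in i
        return l(j, u(i, a, s)) == (b, u(i, a, s1))

    return {
        "2.1": all(u(i, *l(i, s)) == s for i in L for s in St),
        "2.2": all(l(i, l(i, s)[1]) == l(i, s) for i in L for s in St),
        "2.3": all(u(i, a2, u(i, a, s)) == u(i, a2, s)
                   for i in L for a in V[i] for a2 in V[i] for s in St),
        "2.4": all(l1(i, u(i, a, s)) == a for i in L for a in V[i] for s in St),
        "2.5": all(eq25(i, j, s) for i, j in pairs for s in St),
        "2.6": all(u(j, b, u(i, a, s)) == u(i, a, u(j, b, s))
                   for i, j in pairs for a in V[i] for b in V[j] for s in St),
        "2.7": all(eq27(i, j, a, s) for i, j in pairs for a in V[i] for s in St),
    }

def failing_equations(m):
    return sorted(name for name, ok in check_equations_2(m).items() if not ok)

# Constructed sample: three locations with small value sets.
VALS = {"x": [0, 1], "y": [0, 1, 2], "z": ["a", "b"]}

if __name__ == "__main__":
    for name, model in (("product", product_model(VALS)),
                        ("hidden bit", hidden_bit_model(VALS))):
        print(name, "| (1) holds:", check_equations_1(model),
              "| invertible:", observation_is_invertible(model),
              "| failing (2):", failing_equations(model))
```
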

1.2 Computational effects: an example 

In an informal way, we consider that a computational effect occurs when there is an apparent mismatch, 
i.e., some lack of soundness, between the syntax and the denotational semantics of a language. For 
instance in an object-oriented language, the state of an object does not appear explicitly as an argument 
nor as a result of any of its methods. In this section, as a toy example, we build a class BankAccount 
for managing (very simple!) bank accounts. We use the types int and void, and we assume that int 
is interpreted by the set of integers Z and void by a singleton {*}. In the class BankAccount, there is 
a method balance () which returns the current balance of the account and a method deposit (x) for 
the deposit of x Euros on the account. The deposit method is a modifier, which means that it can use 
and modify the state of the current account. The balance method is an inspector, or an accessor, which 
means that it can use the state of the current account but it is not allowed to modify this state. In the 
object-oriented language C++, a method is called a member function; by default a member function is a 
modifier, when it is an accessor it is called a constant member function and the keyword const is used. 
So, the C++ syntax for declaring the member functions of the class BankAccount looks like: 

int balance() const;
void deposit(int);

• Forgetting the keyword const, this piece of C++ syntax can be translated as a signature $Bank_{app}$,
which we call the apparent signature (we use the word "apparent" in the sense of "seeming", i.e.,
"appearing as such but not necessarily so").

$$Bank_{app} : \begin{cases} balance : void \to int \\ deposit : int \to void \end{cases}$$

In a model (or algebra) of the signature $Bank_{app}$, the operations would be interpreted as functions:

$$[[balance]] : \{*\} \to \mathbb{Z} \qquad [[deposit]] : \mathbb{Z} \to \{*\}$$

which clearly is not the intended interpretation.

• In order to get the right semantics, we may use another signature $Bank_{expl}$, which we call the
explicit signature, with a new symbol state for the "type of states":

$$Bank_{expl} : \begin{cases} balance : state \to int \\ deposit : int \times state \to state \end{cases}$$

The intended interpretation is a model of the explicit signature $Bank_{expl}$, with $St$ denoting the set
of states of a bank account:

$$[[balance]] : St \to \mathbb{Z} \qquad [[deposit]] : \mathbb{Z} \times St \to St$$

So far, in this example, we have considered two different signatures. On the one hand, the apparent
signature $Bank_{app}$ is simple and quite close to the C++ code, but the intended semantics is not a model of
$Bank_{app}$. On the other hand, the semantics is a model of the explicit signature $Bank_{expl}$, but $Bank_{expl}$ is
far from the C++ syntax: actually, the very nature of the object-oriented language is lost by introducing
a "type of states". Let us now define a decorated signature $Bank_{deco}$, which is still closer to the C++
code than the apparent signature and which has a model corresponding to the intended semantics. The
decorated signature is not exactly a signature in the classical sense, because there is a classification of its
operations. This classification is provided by superscripts called decorations: the decorations (1) and
(2) correspond respectively to the object-oriented notions of accessor and modifier.

$$Bank_{deco} : \begin{cases} balance^{(1)} : void \to int \\ deposit^{(2)} : int \to void \end{cases}$$

The decorated signature is similar to the C++ code, with the decoration (1) corresponding to the keyword
const. The apparent specification $Bank_{app}$ may be recovered from $Bank_{deco}$ by dropping the decorations.
In addition, we claim that the intended semantics can be seen as a decorated model of this decorated
signature: this will become clear in Section 2.3. In order to add to the signature constants of type
int like 0, 1, 2, ... and the usual operations on integers, a third decoration is used: the decoration
(0) for pure functions, which means, for functions which neither inspect nor modify the state of the
bank account. So, we add to the apparent and explicit signatures the constants $0, 1, \ldots : void \to int$
and the operations $+, -, * : int \times int \to int$, and we add to the decorated signature the pure constants
$0^{(0)}, 1^{(0)}, \ldots : void \to int$ and the pure operations $+^{(0)}, -^{(0)}, *^{(0)} : int \times int \to int$. For instance the
C++ expressions deposit(7); balance() and 7 + balance() can be seen as the decorated terms:

$$balance^{(1)} \circ deposit^{(2)} \circ 7^{(0)} \quad\text{and}\quad +^{(0)} \circ \langle 7^{(0)}, balance^{(1)} \rangle$$

which may be illustrated as:

$$void \xrightarrow{7^{(0)}} int \xrightarrow{deposit^{(2)}} void \xrightarrow{balance^{(1)}} int$$

and

$$void \xrightarrow{\langle 7^{(0)},\, balance^{(1)} \rangle} int \times int \xrightarrow{+^{(0)}} int$$

These two decorated terms have different effects: the first one does modify the state while the second
one is an accessor; however, both return the same integer. Let us introduce the symbol $\sim$ for the relation
"same result, maybe distinct effects". Then:

$$balance^{(1)} \circ deposit^{(2)} \circ 7^{(0)} \ \sim\ +^{(0)} \circ \langle 7^{(0)}, balance^{(1)} \rangle$$

1.3 Diagrammatic logics 

In this paper, in order to deal with a relevant notion of morphisms between logics, we define a logic as
a diagrammatic logic, in the sense of [Domínguez & Duval 2010]. For the purpose of this paper let us
simply say that a logic $\mathcal{L}$ determines a category of theories $\mathbf{T}$ which is cocomplete, and that a morphism
of logics is a left adjoint functor, so that it preserves the colimits. The objects of $\mathbf{T}$ are called the
theories of the logic $\mathcal{L}$. Quite often, $\mathbf{T}$ is a category of structured categories. The inference rules of the
logic $\mathcal{L}$ describe the structure of its theories. When a theory $\Phi$ is generated by some presentation or
specification L, a model of L with values in a theory is a morphism M : $\Phi$ → in $\mathbf{T}$.



The monadic equational logic. For instance, and for future use in the paper, here is the way we
describe the monadic equational logic $\mathcal{L}_{meqn}$. In order to focus on the syntactic aspect of the theories,
we use a congruence symbol "$\equiv$" rather than the equality symbol "=". Roughly speaking, a monadic
equational theory is a sort of category where the axioms hold only up to congruence (in fact, it is a
2-category). Precisely, a monadic equational theory is a directed graph (its vertices are called objects or
types and its edges are called morphisms or terms) with an identity term $id_X : X \to X$ for each type $X$ and
a composed term $g \circ f : X \to Z$ for each pair of consecutive terms $(f : X \to Y,\ g : Y \to Z)$; in addition
it is endowed with equations $f \equiv g : X \to Y$ which form a congruence, which means, an equivalence
relation on parallel terms compatible with the composition; this compatibility can be split in two parts:
substitution and replacement. In addition, the associativity and identity axioms hold up to congruence.
These properties of the monadic equational theories can be described by a set of inference rules, as in
Figure 1.



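$$\text{(id)}\ \frac{X}{id_X : X \to X} \qquad \text{(comp)}\ \frac{f : X \to Y \quad g : Y \to Z}{g \circ f : X \to Z}$$

$$\text{(id-src)}\ \frac{f : X \to Y}{f \circ id_X \equiv f} \qquad \text{(id-tgt)}\ \frac{f : X \to Y}{id_Y \circ f \equiv f} \qquad \text{(assoc)}\ \frac{f : X \to Y \quad g : Y \to Z \quad h : Z \to W}{h \circ (g \circ f) \equiv (h \circ g) \circ f}$$

$$(\equiv\text{-refl})\ \frac{}{f \equiv f} \qquad (\equiv\text{-sym})\ \frac{f \equiv g}{g \equiv f} \qquad (\equiv\text{-trans})\ \frac{f \equiv g \quad g \equiv h}{f \equiv h}$$

$$(\equiv\text{-subs})\ \frac{f : X \to Y \quad g_1 \equiv g_2 : Y \to Z}{g_1 \circ f \equiv g_2 \circ f : X \to Z} \qquad (\equiv\text{-repl})\ \frac{f_1 \equiv f_2 : X \to Y \quad g : Y \to Z}{g \circ f_1 \equiv g \circ f_2 : X \to Z}$$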



Figure 1 : Rules of the monadic equational logic 



Adding products to the monadic equational logic. In contrast with equational theories, the existence
of products is not required in a monadic equational theory. However some specific products may exist.
A product in a monadic equational theory $\mathbf{T}$ is "up to congruence", in the following sense. Let $(Y_i)_{i \in I}$
be a family of objects in $\mathbf{T}$, indexed by some set $I$. A product with base $(Y_i)_{i \in I}$ is a cone $(q_i : Y \to Y_i)_{i \in I}$
such that for every cone $(f_i : X \to Y_i)_{i \in I}$ on the same base there is a term $f = \langle f_i \rangle_{i \in I} : X \to Y$ such that
$q_i \circ f \equiv f_i$ for each $i$, and in addition this term is unique up to congruence, in the sense that if $g : X \to Y$
is such that $q_i \circ g \equiv f_i$ for each $i$ then $g \equiv f$. When $I$ is empty, we get a terminal object $1$, such that for
every $X$ there is an arrow $\langle\,\rangle_X : X \to 1$ which is unique up to congruence. The corresponding inference
rules are given in Figure 2. The quantification "$\forall i$", or "$\forall i \in I$", is a kind of "syntactic sugar": when
occurring in the premises of a rule, it stands for a conjunction of premises.

When $(q_i : Y \to Y_i)_{i \in I}$ is a product:

$$\text{(tuple-unique)}\ \frac{g : X \to Y \quad \forall i\ \ q_i \circ g \equiv f_i}{g \equiv \langle f_j \rangle_j}$$

When $1$ is a terminal type ("empty product"):

(final), with premise $X$; (final-unique)


Figure 2: Rules for products 



2 Three logics for states 

In this section we introduce three logics for dealing with states as computational effects. This generalizes
the example of the bank account in Section 1.2. We present first the explicit logic (close to the semantics),
then the apparent logic (close to the syntax), and finally the decorated logic and the morphisms from the
decorated logic to the apparent and the explicit ones. In the syntax of an imperative language there is no
type of states (the state is "hidden") while the interpretation of this language involves a set of states $St$.
More precisely, if the types $X$ and $Y$ are interpreted as the sets $[[X]]$ and $[[Y]]$, then each term $f : X \to Y$
is interpreted as a function $[[f]] : [[X]] \times St \to [[Y]] \times St$. In Moggi's paper introducing monads for effects
[Moggi 1991] such a term $f : X \to Y$ is called a computation, and whenever the function $[[f]]$ is $[[f]]_0 \times id_{St}$
for some $[[f]]_0 : [[X]] \to [[Y]]$ then $f$ is called a value. We keep this distinction, using modifier and
pure term instead of computation and value, respectively. In addition, an accessor (or inspector) is a term
$f : X \to Y$ that is interpreted by a function $[[f]] = \langle [[f]]_1, q_X \rangle$, for some $[[f]]_1 : [[X]] \times St \to [[Y]]$, where
$q_X : [[X]] \times St \to St$ is the projection. It follows that every pure term is an accessor and every accessor is a
modifier. We will respectively use the decorations (0), (1) and (2), written as superscripts, for pure terms,
accessors and modifiers. Moreover, we distinguish two kinds of equations: when $f, g : X \to Y$ are parallel
terms, then a strong equation $f \equiv g$ is interpreted as the equality $[[f]] = [[g]] : [[X]] \times St \to [[Y]] \times St$,
while a weak equation $f \sim g$ is interpreted as the equality $p_Y \circ [[f]] = p_Y \circ [[g]] : [[X]] \times St \to [[Y]]$, where
$p_Y : [[Y]] \times St \to [[Y]]$ is the projection. Clearly, strong and weak equations coincide on accessors and on
pure terms, while they differ on modifiers. As in Section 1.1, we consider some given set of locations $Loc$
and for each location $i$ a set $Val_i$ of possible values for $i$. The set of states is defined as $St = \prod_{i \in Loc} Val_i$,
and the projections are denoted by $lookup_{i,1} : St \to Val_i$. For each location $i$, let $update_i : Val_i \times St \to St$
be defined by Equations (1) as in Section 1.1. In order to focus on the fundamental properties of states
as effects, the three logics for states are based on the "poor" monadic equational logic (as described in
Section 1.3).

2.1 The explicit logic for states 

The explicit logic for states $\mathcal{L}_{expl}$ is a kind of "pointed" monadic equational logic: a theory $\Theta_{expl}$ for
$\mathcal{L}_{expl}$ is a monadic equational theory with a distinguished object $S$, called the type of states, and with a
product-with-$S$ functor $X \times S$. As in Section 1.2, the explicit logic provides the relevant semantics, but it
is far from the syntax. The explicit theory for states $State_{expl}$ is generated by a type $V_i$ and an operation
$l_{i,1} : S \to V_i$ for each location $i$, which form a product $(l_{i,1} : S \to V_i)_{i \in Loc}$. Thus, for each location $i$ there
is an operation $u_i : V_i \times S \to S$, unique up to congruence, which satisfies the equations below (where
$p_i : V_i \times S \to V_i$ and $q_i : V_i \times S \to S$ are the projections):

$$State_{expl} : \begin{cases} \text{operations } l_{i,1} : S \to V_i\ ,\ u_i : V_i \times S \to S \\ \text{product } (l_{i,1} : S \to V_i)_{i \in Loc} \\ \text{equations } l_{i,1} \circ u_i \equiv p_i : V_i \times S \to V_i\ ,\ l_{j,1} \circ u_i \equiv l_{j,1} \circ q_i : V_i \times S \to V_j \text{ for each } j \neq i \end{cases}$$

Let us define the explicit theory $Set_{expl}$ as the category of sets with the equality as congruence and with the
set of states $St = \prod_{j \in Loc} Val_j$ as its distinguished set. The semantics of states, as described in Section 1.1,
is the model $M_{expl} : State_{expl} \to Set_{expl}$ which maps the type $V_i$ to the set $Val_i$ for each $i \in Loc$, the type $S$
to the set $St$, and the operations $l_{i,1}$ and $u_i$ to the functions $lookup_{i,1}$ and $update_i$, respectively.



2.2 The apparent logic for states 

The apparent logic for states $\mathcal{L}_{app}$ is the monadic equational logic (Section 1.3). As in Section 1.2, the
apparent logic is close to the syntax but it does not provide the relevant semantics. The apparent theory
for states $State_{app}$ can be obtained from the explicit theory $State_{expl}$ by identifying the type of states $S$
with the unit type $1$. So, there is in $State_{app}$ a terminal type $1$ and for each location $i$ a type $V_i$ for the
possible values of $i$ and an operation $l_i : 1 \to V_i$ for observing the value of $i$. A set-valued model for this
part of $State_{app}$, with the constraint that for each $i$ the interpretation of $V_i$ is the given set $Val_i$, is made of
an element $a_i \in Val_i$ for each $i$ (it is the image of the interpretation of $l_i$). Thus, such a model corresponds
to a state, made of a value for each location; this is known as the states-as-models or states-as-algebras
point of view [Gaudel et al. 1996]. In addition, it is assumed that in $State_{app}$ the operations $l_i$'s form a
product $(l_i : 1 \to V_i)_{i \in Loc}$. This assumption implies that each $l_i$ is an isomorphism, so that each $V_i$ must
be interpreted as a singleton: this does not fit with the semantics of states. However, we will see in
Section 2.3 that this assumption becomes meaningful when decorations are added, in a similar way as in
the bank example in Section 1.2. Formally, the assumption that $(l_i : 1 \to V_i)_{i \in Loc}$ is a product provides
for each location $i$ an operation $u_i : V_i \to 1$, unique up to congruence, which satisfies the equations below
(where $id_i : V_i \to V_i$ is the identity and $\langle\,\rangle_i = \langle\,\rangle_{V_i} : V_i \to 1$):

$$State_{app} : \begin{cases} \text{operations } l_i : 1 \to V_i\ ,\ u_i : V_i \to 1 \\ \text{product } (l_i : 1 \to V_i)_{i \in Loc} \text{ with terminal type } 1 \\ \text{equations } l_i \circ u_i \equiv id_i : V_i \to V_i\ ,\ l_j \circ u_i \equiv l_j \circ \langle\,\rangle_i : V_i \to V_j \text{ for each } j \neq i \end{cases}$$

At first view, these equations mean that after $u_i(a)$ is executed, the value of $i$ is put to $a$ and the value of $j$
(for $j \neq i$) is unchanged. However, as noted above, this intuition is not supported by the semantics in the
apparent logic. However, the apparent logic can be used for checking the validity of a decorated proof,
as explained in Section 2.4.



2.3 The decorated logic for states 

Now, as in Section 1.2, we introduce a third logic for states, which is close to the syntax and which
provides the relevant semantics. It is defined by adding "decorations" to the apparent logic. A theory
$\Theta_{deco}$ for the decorated logic for states $\mathcal{L}_{deco}$ is made of:

• A monadic equational theory $\Theta^{(2)}$. The terms in $\Theta^{(2)}$ may be called the modifiers and the equations
$f \equiv g$ may be called the strong equations.

• Two additional monadic equational theories $\Theta^{(0)}$ and $\Theta^{(1)}$, with the same types as $\Theta^{(2)}$, and such
that $\Theta^{(0)} \subseteq \Theta^{(1)} \subseteq \Theta^{(2)}$ and the congruence on $\Theta^{(0)}$ and on $\Theta^{(1)}$ is the restriction of the congruence
on $\Theta^{(2)}$. The terms in $\Theta^{(1)}$ may be called the accessors, and if they are in $\Theta^{(0)}$ they may be called
the pure terms.

• A second equivalence relation $\sim$ between parallel terms in $\Theta^{(2)}$, which is only "weakly" compatible
with the composition; the relation $\sim$ satisfies the substitution property but only a weak version
of the replacement property, called the pure replacement: if $f_1 \sim f_2 : X \to Y$ and $g : Y \to Z$ then in
general $g \circ f_1 \not\sim g \circ f_2$, except when $g$ is pure. The relations $f \sim g$ are called the weak equations.
It is assumed that every strong equation is a weak equation and that every weak equation between
accessors is a strong equation, so that the relations $\equiv$ and $\sim$ coincide on $\Theta^{(0)}$ and on $\Theta^{(1)}$.

We use the following notations, called decorations: a pure term $f$ is denoted $f^{(0)}$, an accessor $f$ is
denoted $f^{(1)}$, and a modifier $f$ is denoted $f^{(2)}$; this last decoration is unnecessary since every term is a
modifier, however it may be used for emphasizing. Figure 3 provides the decorated rules, which describe
the properties of the decorated theories. For readability, the decoration properties may be grouped with
other properties: for instance, "$f^{(1)} \sim g^{(1)}$" means "$f^{(1)}$ and $g^{(1)}$ and $f \sim g$".



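Rules of the monadic equational logic, and:

$$\text{(0-id)}\ \frac{X}{id_X^{(0)} : X \to X} \qquad \text{(0-comp)}\ \frac{f^{(0)} \quad g^{(0)}}{(g \circ f)^{(0)}} \qquad \text{(0-to-1)}\ \frac{f^{(0)}}{f^{(1)}} \qquad \text{(1-comp)}\ \frac{f^{(1)} \quad g^{(1)}}{(g \circ f)^{(1)}}$$

$$(1\text{-}{\sim}\text{-to-}{\equiv})\ \frac{f^{(1)} \sim g^{(1)}}{f \equiv g} \qquad ({\equiv}\text{-to-}{\sim})\ \frac{f \equiv g}{f \sim g}$$

$$({\sim}\text{-refl})\ \frac{}{f \sim f} \qquad ({\sim}\text{-sym})\ \frac{f \sim g}{g \sim f} \qquad ({\sim}\text{-trans})\ \frac{f \sim g \quad g \sim h}{f \sim h}$$

$$({\sim}\text{-subs})\ \frac{f : X \to Y \quad g_1 \sim g_2 : Y \to Z}{g_1 \circ f \sim g_2 \circ f : X \to Z} \qquad (0\text{-}{\sim}\text{-repl})\ \frac{f_1 \sim f_2 : X \to Y \quad g^{(0)} : Y \to Z}{g \circ f_1 \sim g \circ f_2 : X \to Z}$$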



Figure 3: Rules of the decorated logic for states 

Some specific kinds of products may be used in a decorated theory, for instance: 

• A distinguished type $1$ with the following decorated terminality property: for each type $X$ there is
a pure term $\langle\,\rangle_X : X \to 1$ such that every modifier $g : X \to 1$ satisfies $g \sim \langle\,\rangle_X$. It follows from the
properties of weak equations that $1$ is a terminal type in $\Theta^{(0)}$ and in $\Theta^{(1)}$.

• An observational product with base $(Y_i)_{i \in I}$ is a cone of accessors $(q_i : Y \to Y_i)_{i \in I}$ such that for every
cone of accessors $(f_i : X \to Y_i)_{i \in I}$ on the same base there is a modifier $f = \langle f_i \rangle_{i \in I} : X \to Y$ such that
$q_i \circ f \sim f_i$ for each $i$, and in addition this modifier is unique up to strong equations, in the sense
that if $g : X \to Y$ is a modifier such that $q_i \circ g \sim f_i$ for each $i$ then $g \equiv f$. An observational product
allows to prove strong equations from weak ones: by looking at the results of some observations,
thanks to the properties of the observational product, we get information on the state.

When $1$ is a decorated terminal type: (0-final), ($\sim$-final-unique)

When $(q_i^{(1)} : Y \to Y_i)_i$ is an observational product: (obs-tuple); (obs-tuple-proj-$i$), with conclusion
$q_i \circ \langle f_j \rangle_j \sim f_i$; (obs-tuple-unique), with conclusion $g \equiv \langle f_j \rangle_j$



Figure 4: Rules for some decorated products for states 

The decorated theory of states $State_{deco}$ is generated by a type $V_i$ and an accessor $l_i^{(1)} : 1 \to V_i$ for
each $i \in Loc$, which form an observational product $(l_i^{(1)} : 1 \to V_i)_{i \in Loc}$. The modifiers $u_i$'s are defined (up
to strong equations), using the property of the observational product, by the weak equations below:

$$State_{deco} : \begin{cases} \text{operations } l_i^{(1)} : 1 \to V_i\ ,\ u_i^{(2)} : V_i \to 1 \\ \text{observational product } (l_i^{(1)} : 1 \to V_i)_{i \in Loc} \text{ with decorated terminal type } 1 \\ \text{equations } l_i \circ u_i \sim id_i : V_i \to V_i\ ,\ l_j \circ u_i \sim l_j \circ \langle\,\rangle_i : V_i \to V_j \text{ for each } j \neq i \end{cases}$$

The decorated theory of sets $Set_{deco}$ is built from the category of sets, as follows. There is in $Set_{deco}$
a type for each set, a modifier $f^{(2)} : X \to Y$ for each function $f : X \times St \to Y \times St$, an accessor $f^{(1)} : X \to Y$
for each function $f : X \times St \to Y$, and a pure term $f^{(0)} : X \to Y$ for each function $f : X \to Y$,
with the straightforward conversions. Let $f^{(2)}, g^{(2)} : X \to Y$ corresponding to $f, g : X \times St \to Y \times St$.
A strong equation $f \equiv g$ is an equality $f = g : X \times St \to Y \times St$, while a weak equation $f \sim g$ is an
equality $p \circ f = p \circ g : X \times St \to Y$, where $p : Y \times St \to Y$ is the projection. For each location $i$ the
projection $lookup_i : St \to Val_i$ corresponds to an accessor $lookup_i^{(1)} : 1 \to Val_i$ in $Set_{deco}$, so that the
family $(lookup_i^{(1)})_{i \in Loc}$ forms an observational product in $Set_{deco}$. We get a model $M_{deco}$ of $State_{deco}$ with
values in $Set_{deco}$ by mapping the type $V_i$ to the set $Val_i$ and the accessor $l_i^{(1)}$ to the accessor $lookup_i^{(1)}$, for
each $i \in Loc$. Then for each $i$ the modifier $u_i^{(2)}$ is mapped to the modifier $update_i^{(2)}$.
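
The bank account terms of Section 1.2 can be interpreted in this style, with every term a function from (argument, state) to (result, state). The following is an added example, not code from the paper: the helper names, the use of an integer balance as the state and the finite sample of states are assumptions made here. It computes the decoration of a term by exhaustive test on the sample, checks that the two terms are weakly but not strongly equal, and shows that replacement under a weak equation holds for a pure `g` and fails for an accessor.

```python
VOID = ()                       # the single element * interpreting void
STATES = range(0, 6)            # constructed sample: balances 0..5

def pure(f0):
    """Pure term: neither reads nor modifies the state."""
    return lambda x, s: (f0(x), s)

def accessor(f1):
    """Accessor: may read the state, returns it unchanged."""
    return lambda x, s: (f1(x, s), s)

def compose(g, f):
    """g o f: run f, then run g on f's result in the state f left behind."""
    def gf(x, s):
        y, s1 = f(x, s)
        return g(y, s1)
    return gf

def pair(f, g):
    """<f, g> for two accessors: both read the same, unchanged state."""
    return lambda x, s: ((f(x, s)[0], g(x, s)[0]), s)

def strong_eq(f, g, xs, states=STATES):
    """f == g : same result and same final state on every sampled input."""
    return all(f(x, s) == g(x, s) for x in xs for s in states)

def weak_eq(f, g, xs, states=STATES):
    """f ~ g : same result, final states may differ."""
    return all(f(x, s)[0] == g(x, s)[0] for x in xs for s in states)

def decoration(f, xs, states=STATES):
    """Smallest decoration (0 pure, 1 accessor, 2 modifier) that fits f
    on the sampled inputs."""
    if not all(f(x, s)[1] == s for x in xs for s in states):
        return 2
    reads_state = any(f(x, s)[0] != f(x, t)[0]
                      for x in xs for s in states for t in states)
    return 1 if reads_state else 0

# The decorated signature of the bank account, interpreted with St = int.
SEVEN = pure(lambda _: 7)                     # 7^(0)       : void -> int
PLUS = pure(lambda p: p[0] + p[1])            # +^(0)       : int x int -> int
BALANCE = accessor(lambda _, s: s)            # balance^(1) : void -> int
DEPOSIT = lambda x, s: (VOID, s + x)          # deposit^(2) : int -> void

T1 = compose(BALANCE, compose(DEPOSIT, SEVEN))   # deposit(7); balance()
T2 = compose(PLUS, pair(SEVEN, BALANCE))         # 7 + balance()

# Pure replacement: g o T1 ~ g o T2 is guaranteed only when g is pure.
DOUBLE = pure(lambda n: 2 * n)                   # pure g
ADD_BALANCE = accessor(lambda n, s: n + s)       # accessor g, reads the state

def summary():
    return {
        "decorations": (decoration(T1, [VOID]), decoration(T2, [VOID])),
        "weak": weak_eq(T1, T2, [VOID]),
        "strong": strong_eq(T1, T2, [VOID]),
        "repl_pure": weak_eq(compose(DOUBLE, T1), compose(DOUBLE, T2), [VOID]),
        "repl_accessor": weak_eq(compose(ADD_BALANCE, T1),
                                 compose(ADD_BALANCE, T2), [VOID]),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(key, value)
```
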



2.4 From decorated to apparent 

Every decorated theory $\Theta_{deco}$ gives rise to an apparent theory $\Theta_{app}$ by dropping the decorations, which
means that the apparent theory $\Theta_{app}$ is made of a type $X$ for each type $X$ in $\Theta_{deco}$, a term $f : X \to Y$ for
each modifier $f : X \to Y$ in $\Theta_{deco}$ (which includes the accessors and the pure terms), and an equation
$f \equiv g$ for each weak equation $f \sim g$ in $\Theta_{deco}$ (which includes the strong equations). Thus, the distinction
between modifiers, accessors and pure terms disappears, as well as the distinction between weak and
strong equations. Equivalently, the apparent theory $\Theta_{app}$ can be defined as the apparent theory $\Theta^{(2)}$
together with an equation $f \equiv g$ for each weak equation $f \sim g$ in $\Theta_{deco}$ which is not associated to a
strong equation in $\Theta_{deco}$ (otherwise, it is already in $\Theta^{(2)}$). Thus, a decorated terminal type in $\Theta_{deco}$ becomes a
terminal type in $\Theta_{app}$ and an observational product $(q_i^{(1)} : Y \to Y_i)_i$ in $\Theta_{deco}$ becomes a product
$(q_i : Y \to Y_i)_i$ in $\Theta_{app}$. In the same way, each rule of the decorated logic is mapped to a rule of the apparent logic
by dropping the decorations. This property can be used for checking a decorated proof in two steps, by
checking on one side the undecorated proof and on the other side the decorations. This construction of
$\Theta_{app}$ from $\Theta_{deco}$, by dropping the decorations, is a morphism from $\mathcal{L}_{deco}$ to $\mathcal{L}_{app}$, denoted $F_{app}$.

2.5 From decorated to explicit 

Every decorated theory $\Theta_{deco}$ gives rise to an explicit theory $\Theta_{expl}$ by expanding the decorations, which
means that the explicit theory $\Theta_{expl}$ is made of:

• A type $X$ for each type $X$ in $\Theta_{deco}$; projections are denoted by $p_X : X \times S \to X$ and $q_X : X \times S \to S$.

• A term $f : X \times S \to Y \times S$ for each modifier $f : X \to Y$ in $\Theta_{deco}$ such that:

- if $f$ is an accessor then there is a term $f_1 : X \times S \to Y$ in $\Theta_{expl}$ such that $f = \langle f_1, q_X \rangle$,

- if moreover $f$ is a pure term then there is a term $f_0 : X \to Y$ in $\Theta_{expl}$ such that $f_1 = f_0 \circ p_X : X \times S \to Y$,
hence $f = \langle f_0 \circ p_X, q_X \rangle = f_0 \times id_S$ in $\Theta_{expl}$.

• An equation $f \equiv g : X \times S \to Y \times S$ for each strong equation $f \equiv g : X \to Y$ in $\Theta_{deco}$.

• An equation $p_Y \circ f \equiv p_Y \circ g : X \times S \to Y$ for each weak equation $f \sim g : X \to Y$ in $\Theta_{deco}$.

• A product $(q_{i,1} : Y \times S \to Y_i)_i$ for each observational product $(q_i^{(1)} : Y \to Y_i)_i$ in $\Theta_{deco}$.

This construction of $\Theta_{expl}$ from $\Theta_{deco}$ is a morphism from $\mathcal{L}_{deco}$ to $\mathcal{L}_{expl}$, denoted $F_{expl}$ and called the
expansion. The expansion morphism makes explicit the meaning of the decorations, by introducing a
"type of states" $S$. Thus, each modifier $f^{(2)}$ gives rise to a term $f$ which may use and modify the state,
while whenever $f^{(1)}$ is an accessor then $f$ may use the state but is not allowed to modify it, and when
moreover $f^{(0)}$ is a pure term then $f$ may neither use nor modify the state. When $f^{(2)} \equiv g^{(2)}$ then $f$ and
$g$ must return the same result and the same state; when $f^{(2)} \sim g^{(2)}$ then $f$ and $g$ must return the same
result but maybe not the same state. We have seen that the semantics of states cannot be described in
the apparent logic, but can be described both in the decorated logic and in the explicit logic. It should
be recalled that every morphism of logics is a left adjoint functor. This is the case for the expansion
morphism $F_{expl} : \mathcal{L}_{deco} \to \mathcal{L}_{expl}$: it is a left adjoint functor $F_{expl} : \mathbf{T}_{deco} \to \mathbf{T}_{expl}$, its right adjoint is denoted
$G_{expl}$. In fact, it is easy to check that $Set_{deco} = G_{expl}(Set_{expl})$, and since $State_{expl} = F_{expl}(State_{deco})$ it
follows that the decorated model $M_{deco} : State_{deco} \to Set_{deco}$ and the explicit model $M_{expl} : State_{expl} \to Set_{expl}$
are related by the adjunction $F_{expl} \dashv G_{expl}$. This means that the models $M_{deco}$ and $M_{expl}$ are two
different ways to formalize the semantics of states from Section 1.1. In order to conclude Section 2, the
morphisms of logic $F_{app}$ and $F_{expl}$ are summarized in Figure 5.

3 Decorated proofs 

The inference rules of the decorated logic $\mathcal{L}_{deco}$ are now used for proving some of the Equations (2) (in
Remark 1.1). All proofs in this section are performed in the decorated logic; for readability the identity
and associativity rules (id-src), (id-tgt) and (assoc) are omitted. Some derived rules are proved in
Section 3.1, then Equation (2.1) is proved in Section 3.2. In order to deal with the equations with two
values as argument or as result, we use the semi-pure products introduced in [Dumas et al. 2011]: the
rules for semi-pure products are recalled in Section 3.3, then all seven Equations (2) are expressed in
the decorated logic and Equation (2.6) is proved in Section 3.4. Proving the other equations would be
similar. We use as axioms the fact that $l_i$ is an accessor and the weak equations in $State_{deco}$ (Section 2.3).



J.-G. Dumas, D. Duval, L. Fousse & J.-C. Reynaud 






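$\mathcal{L}_{app}$ $\xleftarrow{F_{app}}$ $\mathcal{L}_{deco}$ $\xrightarrow{F_{expl}}$ $\mathcal{L}_{expl}$

$\mathcal{L}_{app}$ | $\mathcal{L}_{deco}$ | $\mathcal{L}_{expl}$
$f : X \to Y$ | modifier $f : X \to Y$ | $f : X \times S \to Y \times S$
$f : X \to Y$ | accessor $f^{(1)} : X \to Y$ | $f_1 : X \times S \to Y$
$f : X \to Y$ | pure term $f^{(0)} : X \to Y$ | $f_0 : X \to Y$
$f \equiv g : X \to Y$ | strong equation $f \equiv g : X \to Y$ | $f \equiv g : X \times S \to Y \times S$
$f \equiv g : X \to Y$ | weak equation $f \sim g : X \to Y$ | $p_Y \circ f \equiv p_Y \circ g : X \times S \to Y$
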

Figure 5: A span of logics for states 

3.1 Some derived rules 

Let us now derive some rules from the rules of the decorated logic (Figures 3 and 4).



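$$\begin{array}{ll}
(E_1^{(1)})\ \dfrac{f^{(1)} : X \to \mathbb{1}}{f = \langle\,\rangle_X} \qquad &
(E_1^{(0)})\ \dfrac{f^{(0)} : X \to \mathbb{1}}{f = \langle\,\rangle_X} \\[2ex]
(E_2^{(1)})\ \dfrac{f^{(1)} : X \to \mathbb{1} \quad g^{(1)} : X \to \mathbb{1}}{f = g} \qquad &
(E_2^{(0)})\ \dfrac{f^{(0)} : X \to \mathbb{1} \quad g^{(0)} : X \to \mathbb{1}}{f = g} \\[2ex]
(E_3^{(1)})\ \dfrac{f^{(1)} : X \to Y \quad g^{(1)} : Y \to \mathbb{1} \quad h^{(1)} : X \to \mathbb{1}}{g \circ f = h} \qquad &
(E_3^{(0)})\ \dfrac{f^{(0)} : X \to Y \quad g^{(0)} : Y \to \mathbb{1} \quad h^{(0)} : X \to \mathbb{1}}{g \circ f = h} \\[2ex]
(E_4^{(1)})\ \dfrac{f^{(1)} : \mathbb{1} \to X}{\langle\,\rangle_X \circ f = id_{\mathbb{1}}} \qquad &
(E_4^{(0)})\ \dfrac{f^{(0)} : \mathbb{1} \to X}{\langle\,\rangle_X \circ f = id_{\mathbb{1}}}
\end{array}$$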

Figure 6: Some derived rules in the decorated logic for states 



Proof. The derived rules in the left part of Figure 6 can be proved as follows. The proofs of the rules in
the right part are left to the reader.



(0-final) 



X 



(1— to-=) 



m(0) 



f=()x (E\ l) ) 



gW:l->X 



fW-.t^X 3 \ g^Qz (1-comp)^ - A ^ r - ^ - 



(e[ 1) ) J — (=-sym) 



(=-trans) 



f = 8 (*f) 



X 



(0-id) 



(0-final) - 
(0-to-l) (0-to-l) 



gof = h (E 3 
1 

id^ ] : 1 ->• 1 



() x of=id t (E^) 






Decorated proofs for computational effects: States 



□ 



3.2 Annihilation lookup-update 

It is easy to check that the decorated equation $u_i^{(2)} \circ l_i^{(1)} = id_{\mathbb{1}}^{(0)}$ gets expanded as $u_i \circ l_i = id_S$, which
clearly gets interpreted as Equation (2.1) in Remark 1.1. Let us prove this decorated equation, using the
axioms (for each location $i$), from $State_{deco}$ in Section 2.3:

$(A_0)\ l_i^{(1)}$, $\quad (A_1)\ l_i \circ u_i \sim id_i$, $\quad (A_2)\ l_j \circ u_i \sim l_j \circ \langle\,\rangle_i$ for each $j \neq i$.

Proposition 3.1. For each location i, reading the value of a location i and then updating the location i 
with the obtained value is just like doing nothing. 

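Proof. Let $i$ be a location. Using the unicity property of the observational product, we have to prove that
$l_k \circ u_i \circ l_i \sim l_k : \mathbb{1} \to V_k$ for each location $k$.

• When $k = i$, the substitution rule for $\sim$ yields:

$$\dfrac{(A_1)\ l_i \circ u_i \sim id_i}{l_i \circ u_i \circ l_i \sim l_i}\,(\sim\text{-subs})$$

• When $k \neq i$, using the substitution rule for $\sim$ and the replacement rule for $=$ we get:

$$\dfrac{
  \dfrac{(A_2)\ l_k \circ u_i \sim l_k \circ \langle\,\rangle_i}
        {l_k \circ u_i \circ l_i \sim l_k \circ \langle\,\rangle_i \circ l_i}\,(\sim\text{-subs})
  \qquad
  \dfrac{\dfrac{\dfrac{(A_0)\ l_i^{(1)}}
                      {\langle\,\rangle_i \circ l_i = id_{\mathbb{1}}}\,(E_4^{(1)})}
               {l_k \circ \langle\,\rangle_i \circ l_i = l_k}\,(=\text{-repl})}
        {l_k \circ \langle\,\rangle_i \circ l_i \sim l_k}\,(=\text{-to-}\sim)
}{l_k \circ u_i \circ l_i \sim l_k}\,(\sim\text{-trans})$$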



□ 



Remark 3.2. At the top of the right branch in the proof above, the decoration (1) for $l_i$ could not be
replaced by (2). Indeed, from $l_i^{(2)}$ we can derive the weak equation $\langle\,\rangle_i \circ l_i \sim id_{\mathbb{1}}$, but this is not sufficient
for deriving $l_k \circ \langle\,\rangle_i \circ l_i \sim l_k$ by replacement since $l_k$ is not pure.



3.3 Semi-pure products 

Let $\Theta_{deco}$ be a theory with respect to the decorated logic for states and let $\Theta^{(0)}$ be its pure part, so
that $\Theta^{(0)}$ is a monadic equational theory. The product of two types $X_1$ and $X_2$ in $\Theta_{deco}$ is defined as
their product in $\Theta^{(0)}$ (it is a product up to strong equations, as in Section 1.1). The projections from
$X_1 \times X_2$ to $X_1$ and $X_2$ are respectively denoted by $\pi_1^{(0)}$ and $\pi_2^{(0)}$ when the types $X_1$ and $X_2$ are clear
from the context. The product of two pure morphisms $f_1^{(0)} : X_1 \to Y_1$ and $f_2^{(0)} : X_2 \to Y_2$ is a pure
morphism $(f_1 \times f_2)^{(0)} : X_1 \times X_2 \to Y_1 \times Y_2$ subject to the rules in Figure 7, which are the usual rules
for products up to strong equations. Moreover when $X_1$ or $X_2$ is $\mathbb{1}$ it can be proved in the usual way
that the projections $\pi_1^{(0)} : X_1 \times \mathbb{1} \to X_1$ and $\pi_2^{(0)} : \mathbb{1} \times X_2 \to X_2$ are isomorphisms. The permutation
$perm^{(0)}_{X_1,X_2} : X_1 \times X_2 \to X_2 \times X_1$ is defined as usual by $\pi_1 \circ perm_{X_1,X_2} = \pi_2$ and $\pi_2 \circ perm_{X_1,X_2} = \pi_1$.

The rules in Figure 7, which are symmetric in $f_1$ and $f_2$, cannot be applied to modifiers: indeed,
the effect of building a pair of modifiers depends on the evaluation strategy. However, following
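$$(\text{0-prod})\ \dfrac{f_1^{(0)} : X_1 \to Y_1 \quad f_2^{(0)} : X_2 \to Y_2}{(f_1 \times f_2)^{(0)} : X_1 \times X_2 \to Y_1 \times Y_2}$$

$$(\text{0-proj-1})\ \dfrac{f_1^{(0)} : X_1 \to Y_1 \quad f_2^{(0)} : X_2 \to Y_2}{\pi_1 \circ (f_1 \times f_2) = f_1 \circ \pi_1}
\qquad
(\text{0-proj-2})\ \dfrac{f_1^{(0)} : X_1 \to Y_1 \quad f_2^{(0)} : X_2 \to Y_2}{\pi_2 \circ (f_1 \times f_2) = f_2 \circ \pi_2}$$

$$(\text{0-prod-unique})\ \dfrac{g^{(0)} : X_1 \times X_2 \to Y_1 \times Y_2 \quad \pi_1 \circ g = f_1 \circ \pi_1 \quad \pi_2 \circ g = f_2 \circ \pi_2}{g = f_1 \times f_2}$$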



Figure 7: Rules for products of pure morphisms 



[Dumas et al. 2011], we define the left semi-pure product of an identity $id_X$ and a modifier $f : X_2 \to Y_2$,
as a modifier $id_X \ltimes f : X \times X_2 \to X \times Y_2$ subject to the rules in Figure 8, which form a decorated version
of the rules for products. Symmetrically, the right semi-pure product of a modifier $f : X_1 \to Y_1$ and an
identity $id_X$ is a modifier $f \rtimes id_X : X_1 \times X \to Y_1 \times X$ subject to the rules symmetric to those in Figure 8.



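$$(\text{left-prod})\ \dfrac{f^{(2)} : X_2 \to Y_2}{(id_X \ltimes f)^{(2)} : X \times X_2 \to X \times Y_2}$$

$$(\text{left-proj-1})\ \dfrac{f^{(2)} : X_2 \to Y_2}{\pi_1 \circ (id_X \ltimes f) \sim \pi_1}
\qquad
(\text{left-proj-2})\ \dfrac{f^{(2)} : X_2 \to Y_2}{\pi_2 \circ (id_X \ltimes f) = f \circ \pi_2}$$

$$(\text{left-prod-unique})\ \dfrac{g^{(2)} : X \times X_2 \to X \times Y_2 \quad \pi_1 \circ g \sim \pi_1 \quad \pi_2 \circ g = f \circ \pi_2}{g = id_X \ltimes f}$$

Figure 8: Rules for left semi-pure products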

Let us add the rules for semi-pure products to the decorated logic for states. In the decorated theory
of states $State_{deco}$, let us assume that there are products $V_i \times V_j$ and $V_i \times \mathbb{1}$ and $\mathbb{1} \times V_j$ for all locations
$i$ and $j$. Then it is easy to check that the expansion of the decorated Equations (2)$_d$ below gets
interpreted as Equations (2) in Remark 1.1. We use the simplified notations $id_i = id_{V_i}$ and $\langle\,\rangle_i = \langle\,\rangle_{V_i}$ and
$perm_{i,j} = perm_{V_i,V_j}$. Equation (2.1)$_d$ has been proved in Section 3.2 and Equation (2.6)$_d$ will be proved
in Section 3.4. The other equations can be proved in a similar way.

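(2.1)$_d$ Annihilation lookup-update. $\forall i \in Loc,\ u_i \circ l_i = id_{\mathbb{1}} : \mathbb{1} \to \mathbb{1}$

(2.2)$_d$ Interaction lookup-lookup. $\forall i \in Loc,\ l_i \circ \langle\,\rangle_i \circ l_i = l_i : \mathbb{1} \to V_i$

(2.3)$_d$ Interaction update-update. $\forall i \in Loc,\ u_i \circ \pi_2 \circ (u_i \rtimes id_i) = u_i \circ \pi_2 : V_i \times V_i \to \mathbb{1}$

(2.4)$_d$ Interaction update-lookup. $\forall i \in Loc,\ l_i \circ u_i \sim id_i : V_i \to V_i$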

(2.5) d Commutation lookup-lookup. V i ^ j G Loc, // o ( ), o = permj t o /,• o ( ) j o Zy : 1 — X V,- x V} 
(2.6)$_d$ Commutation update-update. $\forall i \neq j \in Loc,\ u_j \circ \pi_2 \circ (u_i \rtimes id_j) = u_i \circ \pi_1 \circ (id_i \ltimes u_j) : V_i \times V_j \to \mathbb{1}$
(2.7)rf Commutation update-lookup. Vz / j G Loc, // o = n 2 o (z'd; x Z ; ) o (w ; x idy) o 71^ 1 : V,- — X Vj 
3.4 Commutation update-update

Proposition 3.3. For all locations $i \neq j$, the order of storing in the locations $i$ and $j$ does not matter:
$u_j^{(2)} \circ \pi_2^{(0)} \circ (u_i \rtimes id_j)^{(2)} = u_i^{(2)} \circ \pi_1^{(0)} \circ (id_i \ltimes u_j)^{(2)} : V_i \times V_j \to \mathbb{1}$.

Proof. In order to avoid ambiguity, in this proof the projections from $V_i \times \mathbb{1}$ are denoted $\pi_{1,i}$ and $\pi_{2,i}$ and
the projections from $\mathbb{1} \times V_j$ are denoted $\pi_{1,j}$ and $\pi_{2,j}$, while the projections from $V_i \times V_j$ are denoted $\pi_{1,i,j}$
and $\pi_{2,i,j}$. It follows from Section 3.3 that $\pi_{1,i}$ and $\pi_{2,j}$ are isomorphisms, while the derived rule $(E_1^{(0)})$
implies that $\pi_{2,i} = \langle\,\rangle_{V_i \times \mathbb{1}}$ and $\pi_{1,j} = \langle\,\rangle_{\mathbb{1} \times V_j}$. Using the unicity property of the observational product, we have
to prove that $l_k \circ u_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) \sim l_k \circ u_i \circ \pi_{1,i} \circ (id_i \ltimes u_j)$ for each location $k$.

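• When $k \neq i,j$, let us prove independently four weak equations $(W_1)$ to $(W_4)$:

$$\dfrac{(A_2)\ l_k \circ u_j \sim l_k \circ \langle\,\rangle_j}
        {l_k \circ u_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) \sim l_k \circ \langle\,\rangle_j \circ \pi_{2,j} \circ (u_i \rtimes id_j)}\,(\sim\text{-subs})
\qquad (W_1)$$

$$\dfrac{\dfrac{\dfrac{
    \dfrac{(E_3^{(0)})\ \langle\,\rangle_j \circ \pi_{2,j} = \pi_{1,j} \qquad (\text{right-prod})\ u_i \rtimes id_j}
          {\langle\,\rangle_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) = \pi_{1,j} \circ (u_i \rtimes id_j)}\,(=\text{-subs})
    \qquad
    (\text{right-proj-1})\ \pi_{1,j} \circ (u_i \rtimes id_j) = u_i \circ \pi_{1,i,j}
  }{\langle\,\rangle_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) = u_i \circ \pi_{1,i,j}}\,(=\text{-trans})
 }{l_k \circ \langle\,\rangle_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) = l_k \circ u_i \circ \pi_{1,i,j}}\,(=\text{-repl})
}{l_k \circ \langle\,\rangle_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) \sim l_k \circ u_i \circ \pi_{1,i,j}}\,(=\text{-to-}\sim)
\qquad (W_2)$$

$$\dfrac{(A_2)\ l_k \circ u_i \sim l_k \circ \langle\,\rangle_i}
        {l_k \circ u_i \circ \pi_{1,i,j} \sim l_k \circ \langle\,\rangle_i \circ \pi_{1,i,j}}\,(\sim\text{-subs})
\qquad (W_3)$$

$$\dfrac{\dfrac{(E_3^{(0)})\ \langle\,\rangle_i \circ \pi_{1,i,j} = \langle\,\rangle_{V_i \times V_j}}
               {l_k \circ \langle\,\rangle_i \circ \pi_{1,i,j} = l_k \circ \langle\,\rangle_{V_i \times V_j}}\,(=\text{-repl})}
        {l_k \circ \langle\,\rangle_i \circ \pi_{1,i,j} \sim l_k \circ \langle\,\rangle_{V_i \times V_j}}\,(=\text{-to-}\sim)
\qquad (W_4)$$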

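Equations $(W_1)$ to $(W_4)$ together with the transitivity rule for $\sim$ give rise to the weak equation
$l_k \circ u_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) \sim l_k \circ \langle\,\rangle_{V_i \times V_j}$. A symmetric proof shows that $l_k \circ u_i \circ \pi_{1,i} \circ (id_i \ltimes u_j) \sim
l_k \circ \langle\,\rangle_{V_i \times V_j}$. With the symmetry and transitivity rules for $\sim$, this concludes the proof when $k \neq i,j$.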

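• When $k = i$, it is easy to prove that $l_i \circ u_i \circ \pi_{1,i} \circ (id_i \ltimes u_j) \sim \pi_{1,i,j}$, as follows.

$$\dfrac{
  \dfrac{(A_1)\ l_i \circ u_i \sim id_i}
        {l_i \circ u_i \circ \pi_{1,i} \circ (id_i \ltimes u_j) \sim \pi_{1,i} \circ (id_i \ltimes u_j)}\,(\sim\text{-subs})
  \qquad
  \dfrac{u_j}{\pi_{1,i} \circ (id_i \ltimes u_j) \sim \pi_{1,i,j}}\,(\text{left-proj-1})
}{l_i \circ u_i \circ \pi_{1,i} \circ (id_i \ltimes u_j) \sim \pi_{1,i,j}}\,(\sim\text{-trans})$$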

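Now let us prove that $l_i \circ u_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) \sim \pi_{1,i,j}$, as follows.

$$\dfrac{\dfrac{
    \dfrac{(A_2)\ l_i \circ u_j \sim l_i \circ \langle\,\rangle_j}
          {l_i \circ u_j \circ \pi_{2,j} \sim l_i \circ \langle\,\rangle_j \circ \pi_{2,j}}\,(\sim\text{-subs})
    \qquad
    \dfrac{\dfrac{(E_3^{(0)})\ \langle\,\rangle_j \circ \pi_{2,j} = \langle\,\rangle_{\mathbb{1} \times V_j}}
                 {l_i \circ \langle\,\rangle_j \circ \pi_{2,j} = l_i \circ \langle\,\rangle_{\mathbb{1} \times V_j}}\,(=\text{-repl})}
          {l_i \circ \langle\,\rangle_j \circ \pi_{2,j} \sim l_i \circ \langle\,\rangle_{\mathbb{1} \times V_j}}\,(=\text{-to-}\sim)
  }{l_i \circ u_j \circ \pi_{2,j} \sim l_i \circ \langle\,\rangle_{\mathbb{1} \times V_j}}\,(\sim\text{-trans})
}{l_i \circ u_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) \sim l_i \circ \langle\,\rangle_{\mathbb{1} \times V_j} \circ (u_i \rtimes id_j)}\,(\sim\text{-subs})
\qquad (W_1')$$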






(4 0) ) 7T == 

(=-subs) — — — — (nght-proj-1) — 

{/IxVj ° ("i X idj) = 7CijO{Ui X! idj) 7tijO(Ui X! idj) = UiOTtijj 

(=-trans) — 

QtxVj o («,• X! idj) = Uion U j 

_ k ° OtxVj ° («i XI zd ; ) = o m o K\j.j 

k ° OtxVj ° («/ X «//) ~ ^ «i ° &l,fj (W5) 

$$\dfrac{(A_1)\ l_i \circ u_i \sim id_i}
        {l_i \circ u_i \circ \pi_{1,i,j} \sim \pi_{1,i,j}}\,(\sim\text{-subs})
\qquad (W_3')$$

Equations $(W_1')$ to $(W_3')$ and the transitivity rule for $\sim$ give rise to $l_i \circ u_j \circ \pi_{2,j} \circ (u_i \rtimes id_j) \sim \pi_{1,i,j}$.
With the symmetry and transitivity rules for $\sim$, this concludes the proof when $k = i$.

• The proof when k = j is symmetric to the proof when k = i. 

□ 
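The equations proved in Sections 3.2 and 3.4 can be checked by brute force in the explicit semantics, where a term is a function from (argument, state) to (result, state). The Python sketch below is an added example, not code from the paper; the three locations, the two-element value set and all function names are assumptions made for illustration. It compares strong and weak equality, applies the observational criterion used in both proofs, and shows that (2.6) fails when the two locations coincide.

```python
from itertools import product

LOCS = ("i", "j", "k")   # constructed locations
VALS = (0, 1)            # constructed value set: V_loc = {0, 1} for every loc
STATES = [dict(zip(LOCS, v)) for v in product(VALS, repeat=len(LOCS))]
PAIRS = list(product(VALS, VALS))

# Explicit semantics: a term f : X -> Y is a function (x, s) -> (y, s').
def lookup(loc):                    # l_loc : 1 -> V_loc, an accessor
    return lambda x, s: (s[loc], s)

def update(loc):                    # u_loc : V_loc -> 1, a modifier
    return lambda x, s: ((), {**s, loc: x})

def pure(h):                        # pure term: the state passes through
    return lambda x, s: (h(x), s)

IDENT = pure(lambda x: x)

def seq(*fs):                       # seq(f, g) is the composite g o f
    def run(x, s):
        for f in fs:
            x, s = f(x, s)
        return x, s
    return run

def semi(f, pos):                   # pos=0: f ⋊ id, pos=1: id ⋉ f
    def run(p, s):
        y, s2 = f(p[pos], s)
        return ((y, p[1]) if pos == 0 else (p[0], y)), s2
    return run

def strong_eq(f, g, xs):            # same result and same state
    return all(f(x, s) == g(x, s) for x in xs for s in STATES)

def weak_eq(f, g, xs):              # same result, state may differ
    return all(f(x, s)[0] == g(x, s)[0] for x in xs for s in STATES)

def obs_eq(f, g, xs):               # l_k o f ~ l_k o g for every location k
    return all(weak_eq(seq(f, lookup(k)), seq(g, lookup(k)), xs) for k in LOCS)

def annihilation(i):                # both sides of (2.1): u_i o l_i and id_1
    return seq(lookup(i), update(i)), IDENT

def commutation(i, j):              # both sides of (2.6), V_i x V_j -> 1
    lhs = seq(semi(update(i), 0), pure(lambda p: p[1]), update(j))
    rhs = seq(semi(update(j), 1), pure(lambda p: p[0]), update(i))
    return lhs, rhs

print(strong_eq(*commutation("i", "j"), PAIRS), strong_eq(*commutation("i", "i"), PAIRS))
```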



Conclusion 



In this paper, decorated proofs are used for proving properties of states. To our knowledge, such proofs
are new. They can be expanded in order to get the usual proofs; however, decorated proofs are more
concise and closer to the syntax, and in the expanded proof the notion of effect is lost. This approach can be
applied to other computational effects, like exceptions [Dumas et al. 2012a, Dumas et al. 2012b].